IETF Logo Mail Archive

Re: [Add] data integrity and DNSSEC or DoH/DoT

Christian Huitema <huitema@huitema.net> Tue, 03 September 2019 18:33 UTC

Return-Path: <huitema@huitema.net>
X-Original-To: add@ietfa.amsl.com
Delivered-To: add@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C9B6B120154 for <add@ietfa.amsl.com>; Tue, 3 Sep 2019 11:33:07 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Xsta_Ajm1t-4 for <add@ietfa.amsl.com>; Tue, 3 Sep 2019 11:33:04 -0700 (PDT)
Received: from mx43-out1.antispamcloud.com (mx43-out1.antispamcloud.com [138.201.61.189]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CEB4E120152 for <add@ietf.org>; Tue, 3 Sep 2019 11:33:03 -0700 (PDT)
Received: from xse314.mail2web.com ([66.113.197.60] helo=xse.mail2web.com) by mx65.antispamcloud.com with esmtp (Exim 4.89) (envelope-from <huitema@huitema.net>) id 1i5Dbp-000A1O-QS for add@ietf.org; Tue, 03 Sep 2019 20:33:00 +0200
Received: from xsmtp21.mail2web.com (unknown [10.100.68.60]) by xse.mail2web.com (Postfix) with ESMTPS id 46NFtp61C9z4NLk for <add@ietf.org>; Tue, 3 Sep 2019 11:32:50 -0700 (PDT)
Received: from [10.5.2.31] (helo=xmail09.myhosting.com) by xsmtp21.mail2web.com with esmtps (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:256) (Exim 4.92) (envelope-from <huitema@huitema.net>) id 1i5Dbm-0007HC-Mw for add@ietf.org; Tue, 03 Sep 2019 11:32:50 -0700
Received: (qmail 11331 invoked from network); 3 Sep 2019 18:32:50 -0000
Received: from unknown (HELO [192.168.1.105]) (Authenticated-user:_huitema@huitema.net@[172.58.46.209]) (envelope-sender <huitema@huitema.net>) by xmail09.myhosting.com (qmail-ldap-1.03) with ESMTPA for <add@ietf.org>; 3 Sep 2019 18:32:49 -0000
To: Neil Cook <neil.cook@open-xchange.com>
Cc: ADD Mailing list <add@ietf.org>
References: <A1128702-1E19-4657-9740-E84AE09992F2@piuha.net> <A7EA862E-8E80-40E3-834D-E628988C0A24@virtualized.org> <CAFWeb9KT=2JL0oHUgJ2WMcduR3na+hP2QncvRR4YurmqsAWxTA@mail.gmail.com> <59E0EC53-0E30-431C-8376-52C7BFC121A8@virtualized.org> <CAFWeb9+Z7RmXEr46qx5PaUcxh2R3+HXhrZeW-8QEMX4HLt7a-w@mail.gmail.com> <589DAFCB-1BDC-4156-A2CA-179C4559A6B2@virtualized.org> <cf2152d7-8618-7ad2-b8f9-7a259ab5df19@cs.tcd.ie> <683A176C-3CE6-4866-A736-F2A7465FA5B5@rfc1035.com> <CABcZeBPmWYBKcKhjTUBLw62xJT=OXbp3v6MZ+8Gtr=gFmQ-g6A@mail.gmail.com> <E40CC478-BBA1-4DA9-8F6A-FE1782E0F27E@rfc1035.com> <CABcZeBMnG_HJHYrGpQD1LWWNi8zuhAm=0Uy2HNRRmhYS9PsCtg@mail.gmail.com> <06613304-C325-4BA4-AB6F-32D79DFCECA0@open-xchange.com> <CABcZeBMr6WtzbyPPA6W1Da0A9bUoowMVucbBf5K0BQgqZrNdwg@mail.gmail.com> <F66D555F-7533-4B42-A036-016345F7 65A7@open-xchange.com> <0B481BB1-5BF9-409F-B41D-2DFC4675450A@huitema.net> <245874B8-BDB9-4947-86E0-F3A739DA255F@open-xchange.com>
From: Christian Huitema <huitema@huitema.net>
Openpgp: preference=signencrypt
Autocrypt: addr=huitema@huitema.net; prefer-encrypt=mutual; keydata= mQENBFIRX8gBCAC26usy/Ya38IqaLBSu33vKD6hP5Yw390XsWLaAZTeQR64OJEkoOdXpvcOS HWfMIlD5s5+oHfLe8jjmErFAXYJ8yytPj1fD2OdSKAe1TccUBiOXT8wdVxSr5d0alExVv/LO I/vA2aU1TwOkVHKSapD7j8/HZBrqIWRrXUSj2f5n9tY2nJzG9KRzSG0giaJWBfUFiGb4lvsy IaCaIU0YpfkDDk6PtK5YYzuCeF0B+O7N9LhDu/foUUc4MNq4K3EKDPb2FL1Hrv0XHpkXeMRZ olpH8SUFUJbmi+zYRuUgcXgMZRmZFL1tu6z9h6gY4/KPyF9aYot6zG28Qk/BFQRtj7V1ABEB AAG0J0NocmlzdGlhbiBIdWl0ZW1hIDxodWl0ZW1hQGh1aXRlbWEubmV0PokBOQQTAQIAIwUC UhFfyAIbLwcLCQgHAwIBBhUIAgkKCwQWAgMBAh4BAheAAAoJEJNDCbJVyA1yhbYH/1ud6x6m VqGIp0JcZUfSQO8w+TjugqxCyGNn+w/6Qb5O/xENxNQ4HaMQ5uSRK9n8WKKDDRSzwZ4syKKf wbkfj05vgFxrjCynVbm1zs2X2aGXh+PxPL/WHUaxzEP7KjYbLtCUZDRzOOrm+0LMktngT/k3 6+EZoLEM52hwwpIAzJoscyEz7QfqMOZtFm6xQnlvDQeIrHx0KUvwo/vgDLK3SuruG1CSHcR0 D24kEEUa044AIUKBS3b0b8AR7f6mP2NcnLpdsibtpabi9BzqAidcY/EjTaoea46HXALk/eJd 6OLkLE6UQe1PPzQC4jB7rErX2BxnSkHDw50xMgLRcl5/b1a5AQ0EUhFfyAEIAKp7Cp8lqKTV CC9QiAf6QTIjW+lie5J44Ad++0k8gRgANZVWubQuCQ71gxDWLtxYfFkEXjG4TXV/MUtnOliG 5rc2E+ih6Dg61Y5PQakm9OwPIsOx+2R+iSW325ngln2UQrVPgloO83QiUoi7mBJPbcHlxkhZ bd3+EjFxSLIQogt29sTcg2oSh4oljUpz5niTt69IOfZx21kf29NfDE+Iw56gfrxI2ywZbu5o G+d0ZSp0lsovygpk4jK04fDTq0vxjEU5HjPcsXC4CSZdq5E2DrF4nOh1UHkHzeaXdYR2Bn1Y wTePfaHBFlvQzI+Li/Q6AD/uxbTM0vIcsUxrv3MNHCUAEQEAAYkCPgQYAQIACQUCUhFfyAIb LgEpCRCTQwmyVcgNcsBdIAQZAQIABgUCUhFfyAAKCRC22tOSFDh1UOlBB/94RsCJepNvmi/c YiNmMnm0mKb6vjv43OsHkqrrCqJSfo95KHyl5Up4JEp8tiJMyYT2mp4IsirZHxz/5lqkw9Az tcGAF3GlFsj++xTyD07DXlNeddwTKlqPRi/b8sppjtWur6Pm+wnAHp0mQ7GidhxHccFCl65w uT7S/ocb1MjrTgnAMiz+x87d48n1UJ7yIdI41Wpg2XFZiA9xPBiDuuoPwFj14/nK0elV5Dvq 4/HVgfurb4+fd74PV/CC/dmd7hg0ZRlgnB5rFUcFO7ywb7/TvICIIaLWcI42OJDSZjZ/MAzz BeXm263lHh+kFxkh2LxEHnQGHCHGpTYyi4Z3dv03HtkH/1SI8joQMQq00Bv+RdEbJXfEExrT u4gtdZAihwvy97OPA2nCdTAHm/phkzryMeOaOztI4PS8u2Ce5lUB6P/HcGtK/038KdX5MYST Fn8KUDt4o29bkv0CUXwDzS3oTzPNtGdryBkRMc9b+yn9+AdwFEH4auhiTQXPMnl0+G3nhKr7 jvzVFJCRif3OAhEm4vmBNDE3uuaXFQnbK56GJrnqVN+KX5Z3M7X3fA8UcVCGOEHXRP/aubiw Ngawj0V9x+43kUapFp+nF69R53UI65YtJ95ec4PTO/Edvap8h1UbdEOc4+TiYwY1TBuIKltY 1cnrjgAWUh/Ucvr++/KbD9tD6C8=
Message-ID: <a0293337-d0a8-f014-c78b-1d3eb87d705f@huitema.net>
Date: Tue, 03 Sep 2019 11:32:49 -0700
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:60.0) Gecko/20100101 Thunderbird/60.8.0
MIME-Version: 1.0
In-Reply-To: <245874B8-BDB9-4947-86E0-F3A739DA255F@open-xchange.com>
Content-Type: multipart/alternative; boundary="------------2025E14967998441B57C85EA"
Content-Language: en-US
X-Originating-IP: 66.113.197.60
X-Spampanel-Domain: xsmtpout.mail2web.com
X-Spampanel-Username: 66.113.197.0/24
Authentication-Results: antispamcloud.com; auth=pass smtp.auth=66.113.197.0/24@xsmtpout.mail2web.com
X-Spampanel-Outgoing-Class: unsure
X-Spampanel-Outgoing-Evidence: Combined (0.15)
X-Recommended-Action: accept
X-Filter-ID: Mvzo4OR0dZXEDF/gcnlw0duM4P579sYYbdH8Mt+sPVWpSDasLI4SayDByyq9LIhVUZbR67CQ7/vm /hHDJU4RXkTNWdUk1Ol2OGx3IfrIJKywOmJyM1qr8uRnWBrbSAGDNzOpszOkW3faMySFwG163+fH zJ6mVE7ewsipSVIfs4b65hZiwwBN/M9hcHbHiOytgyWFxOA5dILPypvKxNVhWQwOVcNrdpWfEYrY fLBY3+cqR/Azv01OJhPK4SsoJkVNmdySlZou9qHIGOZDEEo7O2nS6C1mWTD2n8BB0gTSSfDtw+Ut ziY+nbU7qa50sEXj8hEv6ylbrSataIASdByf+qyWDcKgIew/Pqmv8CiR0A+Ffy7fEg460Hn2xYnW avStyzAiWbbj13U46jbWFIz21cHX/YzWyFk7762whX3QQ+5uhkPm88V7ziklAaTl19sU919xeAvO xjeQEcL5lNmXdGd9U9Oojh2QY0MMPWjRsTVhMmX9VvKuj6psZloQqgYBwH0r+197ykuYmDR9wbL2 DBEuqNMl4E+tMKMsv/A3u4xFRxF9LSHNsZFl22lrRRn/H0knlMgOQTVp+x1fo2EPm5KHzmP2+HxV ijKKPtqDwZd7wJgR9gN8n34hQyCWBa3zvlDP3IvNKWbicgplJuc0yHD6uIoYZDDeZ4RICBEJ4EN8 g2fGU86cSswil+kDetUfttbLHdNhiUq2jBEvMVLlZ4GThCScvU0cCIiHSQbmcVLNUEuihv2tGkzg cw8tay0xWDvBhuNO4tpnc980Bg7nrd5lvG1f3sxK9YiXfxnyJdCFg/K2AjW9YY0/j/JB4PN5XPWl FdaGOH191uXjgjQN/bk/tOvsMDZmQNfeGxdXg4FBjk+4EVMNxokGCQ2fdR5J83g9ueTJOU6a76yp yxjdeg8YhWenlMfuvb1mNY5/IPiuedK/Z3MvnAyDmuOaA5CGZRWsGw8ac2InzcAP/gmxwNpms+rB 6wJM+NNhN3aT35NSU/fjw6KbqLw80r1gDO3m6U0LjBzYuQztdAThgtWSU3qCINKqlAdh+ePAcEwD s/8=
X-Report-Abuse-To: spam@quarantine9.antispamcloud.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/add/Yb4DujUiseaPZC8njOLnlrWpgfE>
X-Mailman-Approved-At: Wed, 04 Sep 2019 09:06:57 -0700
Subject: Re: [Add] data integrity and DNSSEC or DoH/DoT
X-BeenThere: add@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Applications Doing DNS <add.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/add>, <mailto:add-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/add/>
List-Post: <mailto:add@ietf.org>
List-Help: <mailto:add-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/add>, <mailto:add-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 03 Sep 2019 18:33:08 -0000

On 9/3/2019 9:35 AM, Neil Cook wrote:
>
>
>> On 3 Sep 2019, at 18:16, Christian Huitema <huitema@huitema.net
>> <mailto:huitema@huitema.net>> wrote:
>>
>>  
>>
>> On Sep 3, 2019, at 7:34 AM, Neil Cook
>> <neil.cook=40open-xchange.com@dmarc.ietf.org
>> <mailto:neil.cook=40open-xchange.com@dmarc.ietf.org>> wrote:
>>
>>>
>>>
>>>> On 3 Sep 2019, at 15:46, Eric Rescorla <ekr@rtfm.com
>>>> <mailto:ekr@rtfm.com>> wrote:
>>>>
>>>>
>>>>     It’s not entirely  useless. The problem it does solve is giving
>>>>     the user a better experience when a site is blocked for
>>>>     resolvers that support this extended Error Code. Currently for
>>>>     HTTPS the user will end up with a TLS connection error of some
>>>>     kind (or a blank page in some browsers). If a resolver returns
>>>>     a “blocked/censored/prohibited” response, then the browser can
>>>>     tell the user that the web page was blocked with an informative
>>>>     message. Assuming this becomes the default behaviour for
>>>>     non-malicious resolvers then I think it will a good signal for
>>>>     distinguishing  "this is malware blocking" from "this resolver
>>>>     is malicious”.
>>>>
>>>>
>>>> I'm not following. Suppose that we add an error code that says
>>>> "this site has malware". Now, I operate a resolver which is
>>>> malicious in the sense that it wishes to block a certain form of
>>>> content (say, access to the IETF) but don't want the people whose
>>>> content I am blocking is being blocked for that reason. So, instead
>>>> I return "this site has malware".
>>>>
>>>> My point here is that a code of this type only tells you what the
>>>> resolver *asserts* the reason it blocked it is, it doesn't
>>>> necessarily tell you what the actual reason that the content was
>>>> blocked.
>>>>
>>>
>>> Ok yes I understand. The blocking reason wouldn’t be that useful in
>>> the general case of not knowing whether a resolver was malicious.
>>> However I think the fact that the resolver is telling you that the
>>> content is blocked is still useful, no matter what the reason for
>>> the blocking is, for the reason described above. For example in your
>>> use-case, the user would see “this site is blocked by the DNS
>>> resolver” (or whatever) rather than “TLS connection error” which
>>> would be the case today.
>>
>> Is there a way to explain how the message is blocked? Such as, "this
>> domain is listed as malware in RBZ malware.example.net
>> <http://malware.example.net/>." Information like that would allow the
>> client to make an informed decision.
>>
>
> The proposal as it’s currently specified doesn’t allow further
> granularity. Also Eric’s point is that you can’t trust the reason the
> resolver gives you, so this wouldn’t be useful. Assuming the client
> did trust the resolver however it may be useful;  although I’m not
> sure how the client would make an “informed decision” - I mean, what
> can the client do except try a different resolver perhaps?

If the client knows why the query was rejected, then it can look a bit
further. Take my example, in which the server would announce that the
domain is marked as blocked in a specific RBZ, "malware.example.net".
The client may decides whether it trusts that specific RBZ. Does it have
a good reputation, or is it known for a trigger-happy behavior leading
to all kinds of false positive? And then, the client may want to check
whether the domain is in fact listed in that specific RBZ, or whether
the resolver is making that up. It can indeed do that by contacting
another resolver. It may or may not do that all the time, it may or may
not expose that as some kind of option. My point is that more
transparency always helps.

-- Christian Huitema

v2.23.0 | Report a Bug | By Email